Red Team Tips

Overview

The following "red team tips" were posted by myself, Vincent Yiu (@vysecurity), over Twitter for about a year. This is still ongoing, but I took the opportunity to publish these in one solidified location on my blog. These will be updated occasionally, but will not be bleeding-edge updates. To receive my "red team tips", thoughts, and ideas behind cyber attack simulations, follow my Twitter account @vysecurity.

For the full Tweet and thread context (a lot of my followers will comment and give their insights also), visit Twitter.

Red Team Tips

Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.

Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It won't log cookies or POST body content, as they can be sensitive.

Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.

Red tip #272: Aquatone is a DNS discovery tool https://github.com/michenriksen/aquatone. Finds some interesting subdomains that I’ve not seen in some other sources. :D For example, one time it found me a VPN hostname format that I could then simply brute all combinations to discover more.

Red tip #273: 41GB Password dump is a good place to get an idea of username and email formats for target. Also if there are multiple formats in use.

Red tip #274: Password cracking is hard. I love Top297Million-Probable, rockyou was decent for a quick smash, but lately found out about Keyboard Walks. Add keyboard walks with rules into your cracking routines to get more hashes cracked! https://github.com/hashcat/kwprocessor Share your ideas!

Red tip #275: Use Exchange timing attacks to narrow down a predicted list of emails down to an accurate list. Better than checking for bounces. @dafthack https://github.com/dafthack/MailSniper implements this attack.

Red tip #276: Embed UNC paths into e-mails to leak a hash from the occasional work from home or travelling employee. Several mitigations for this such as setting no automatic authentication in inetcpl.cpl and use of the host based firewall.
Try using a generic email template.

Red tip #277: Got administrative rights across the domain but can’t hit certain network segments? Be sure to check out web apps, many places and web apps support “script execution” for administrators. Get a shell and try to hit the target segment from the web app.

Red tip #278: Using net users isn’t the only way to get users from AD. You don’t always need to do it from the endpoint. If EDR is an issue connect to web apps and use intranet, mail, dev stack and other tools to obtain user lists and groups.

Red tip #279: If you can’t beat EDR, go around it! @_RastaMouse

Red tip #280: GPO Misconfigurations are more common than you might think! Not talking about good old cpassword but also file permissions and editable scripts. Check out https://github.com/l0ss/Grouper by @mikeloss that automates this!

Red tip #281: @PyroTek3 has documented lots of AD security related information. Probably not a pure red tip but knowing whether and how the blue team or target might fix an issue definitely helps when trying to discover if they’re vulnerable as well as the reporting phase.

Red tip #286: Look for pentest and Security reports. Inboxes, file shares, intranets. Replicate vulnerabilities that other people find and report but haven’t been fixed. I’ve done this so many times because the client decrypts a report and archives it in clear text.

Red tip #293: @evilcos has gotten ZoomEye back up! If you’ve not used ZoomEye I recommend trying it out. You might get differing results to existing tools! https://www.zoomeye.org/

Red tip #294: If you’re using cloud infrastructure for listening posts / redirectors it’s worth checking the IP against known black lists. Just so that it doesn’t end up tainting the reputation of associated domains!

Red tip #296: CACTUSTORCH weaponises James Forshaw’s Dotnet2js research. Allows shellcode execution in JS and HTA files as well as an alternate for Macros. This is being used in the wild and you should know about it! It’s proved useful in EDR cases too! https://github.com/mdsecactivebreach/CACTUSTORCH

Red tip #297: Domain Admins is not the only privileged group. Account Operators, Backup Operators, DNS Admins and more exist. Read up with @pyrotek3 https://adsecurity.org/?p=3700

Red tip #298: Backup images on disk with world readable access rights. I see this ALL THE TIME. Check out https://rastamouse.me/2018/02/vhd-to-da/ by @_rastamouse teaching us how to read VHD without transferring 50 GB.

Red tip #301: Your customers security is dependent on yours. With that requirement, I recommend writing a PowerShell script that makes a mobile push to your phone every time you unlock or startup your machine. Similar for SSH onto servers.

Red tip #303: Look for open S3 buckets using https://github.com/sa7mon/S3Scanner I found 1400 buckets in about 1 hour. Good practice to make sure your client isn’t vulnerable to such attacks, and if in a red team you might be able to use it to serve payload stages or create waterhole attacks. In total I found over 6000.

Red tip #304: Phish creds on target sites. Forums and other areas let you post image links. [img]url/cat.png[/img] for example. Use https://github.com/vysec/basicAuth , set PNG as a PHP execution extension. Embed that PNG and whenever someone visits the page it will prompt for credentials.

Red tip #305: Why are privileged / admin user code execution vulnerabilities a thing in web app reports? Because if you’re privileged and can execute code on a web app, you can use it to Pivot into segments, extract secrets from the box, intercept comms, and all that good stuff.

Red tip #306:

"The supreme art of war is to subdue the enemy without fighting"

In my opinion: get to the goal without having to privesc and move laterally or compromise unnecessary assets or cause collateral damage and noise.

Red tip #308: List RDP connections history with @3gstudent https://github.com/3gstudent/List-RDP-Connections-History Useless in times where you don’t have a GUI. I’d combine it with cmdkey to see what’s in vault to figure out where the user may have access :) #redteam #pentest #security

Red tip #309: If DMARC policy is set to the root domain, but not sub domains, check if subdomain policy is applied. If not, spoof from arbitrary subdomains instead :)
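To check the subdomain policy this tip refers to, a defender can work out which DMARC policy a receiver actually applies to mail from a given subdomain. The example below is added here and is not code from the original post; it follows the RFC 7489 lookup order (the sender domain's own record first, otherwise the organisational domain's sp tag, which defaults to p), and the records under the example.* domains are constructed, with no DNS lookups performed.

```python
# Strictness order used to decide whether a subdomain falls back to a weaker policy.
STRICTNESS = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed DMARC TXT records keyed by domain (example data, not real lookups).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=reject; sp=none",
    "example.net": "v=DMARC1; p=quarantine",
    "mail.example.net": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or tags.get("p") not in STRICTNESS:
        return None
    return tags


def applied_policy(records, sender_domain, org_domain):
    """Policy a receiver applies to unauthenticated mail with this From domain."""
    own = parse_dmarc(records.get(sender_domain, ""))
    if own is not None:          # the subdomain's own record wins, whatever the parent says
        return own["p"]
    org = parse_dmarc(records.get(org_domain, ""))
    if org is None:              # no organisational record at all: nothing is enforced
        return "none"
    sp = org.get("sp")           # sp governs subdomains; absent or malformed means p applies
    return sp if sp in STRICTNESS else org["p"]


def weak_subdomain_findings(records, org_domain):
    """Report the wildcard fallback and any known subdomain enforced more weakly than the parent p."""
    org = parse_dmarc(records.get(org_domain, ""))
    if org is None:
        return [f"{org_domain}: no valid DMARC record"]
    findings = []
    fallback = applied_policy(records, "nonexistent." + org_domain, org_domain)
    if STRICTNESS[fallback] < STRICTNESS[org["p"]]:
        findings.append(f"*.{org_domain}: sp={fallback} weaker than p={org['p']}")
    for name in records:
        if name.endswith("." + org_domain):
            pol = applied_policy(records, name, org_domain)
            if STRICTNESS[pol] < STRICTNESS[org["p"]]:
                findings.append(f"{name}: p={pol} weaker than parent p={org['p']}")
    return findings
```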

Red tip #310: SOC is looking for low user/access count new domains that haven't been seen before and you can't domain front due to RFC2616 proxy? When doing the phish, add invisible image links to your C2 domain so that multiple users will have loaded the C2 domain before use. By the time the domain is used, it won't be a low number of users who have accessed the domain, it can be like 20. Then when the C2 goes in, it's no longer new and low user count. And just to be safe, I'd load unused domains too, like ones that don't belong to you. So that the SOC can go on a wild goose chase even if they think they know what you're doing. Even better, load a JS snippet that just keeps reloading resources from the websites so that there's more hit count per user :D

Red tip #311: Check out goaccess -> apt-get install goaccess. Then goaccess -f /var/log/nginx/access.log Pretty cool! Now you can see who's hitting your redirector and what they're grabbing at all times in live view? Good for red team dash boards.

Red tip #312: Sandboxes run Macros without prompting right? What if you wrote your Macro to check that it’s set to run without prompting and don’t run? :) only run if it’s on enable content setting... which is more likely to be observed in a real environment.

Red tip #318: Need a way to manage high-level and performed actions per day? @xmind might be a good tool to help you do that. You can arrange per day on major actions performed, you can also put notes into it. https://www.xmind.net/zen/

Red tip #319: Builtwith is pretty useful for linking domains using trackers. It also does Shared IP / infrastructure links and displays technologies used. https://builtwith.com Thanks to @Jhaddix for pointing it out in his @Bugcrowd talk!

Red tip #321: Want to find out if the current network has an external exposed interface? Eg. Wireless networks? An easy way is to visit https://ifconfig.co/port/80 on port 22,80,443 for a quick idea. You might find that your current network has another way in!

Red tip #322: Logging the date and time is really important. Go to http://bashrcgenerator.com and generate a fancy looking, and useful time on your terminal for bash. I combine this with script ~/OPNAME_DATE.txt.

Red tip #323: Recruiters adding you on LinkedIn? Make the most out of it! 1) Recruitment / Job templates for use in campaigns, 2) Job site you can clone / reference when making your own, 3) Second and third degree connections to target organisations!

Red tip #324: Easy way to get Microsoft tenant ID: https://login.windows.net/companyname.onmicrosoft.com/.well-known/openid-configuration. Not sure why when I Google Tenant ID, people censor it out when it's publicly accessible without any authentication. Bunch of interesting output from the request anyhow.

Red tip #325: WPA2 PSK can be cracked on Hashcat too, just in case you were not aware. All you do is make cap2hccapx https://github.com/hashcat/hashcat-utils then convert the handshake CAP file to HCCAPX then crack it in Hashcat mode 2500 :)

Red tip #326: WHOIS Protection in place on domains? Try to get WHOIS information from the Autonomous System Number, then use that to perform reverse WHOIS to find additional domains. https://dnslytics.com/bgp/us

Red tip #327: Hashcat doesn't run through special characters if you use -a 3 for passwords of length < 6. Use -a 3 -1 ?u?l?s ?1?1?1?1?1 instead.

Red tip #328: Need to Spray Office365? Use https://bitbucket.org/grimhacker/office365userenum. Tried and tested this tool and it works really fast and well in Python. Just do --threads 3000 and --password Welcome1. As all operators know, you don't have time to be testing tools in the middle of a gig. :)

Red tip #329: Running a long gig? Use CloudFlare certificate that lasts 15 years instead of LetsEncrypt. LetsEncrypt lasts like 3 months and requires renewal. If you're domain fronting you don't want to be changing and updating certs to prevent 502 errors.

Red tip #332: If you're new to Red Team, or are performing a complex series of campaigns and attacks then I recommend using a WHITEBOARD. Yes, a whiteboard. It helps to draft out attacks, list out infrastructure, lets you visualize your campaign chain.

Red tip #334: Don’t spend too much time fixated on a rabbit hole. In a CTF you know you can “try harder” but in real life you often have to kick back and rethink what you’re doing. There’s so many times where I’ve found a way to pivot and continue after some good rest.

Red tip #335: Use copy with the /z flag to make resumable file transfers on Windows. @guyrleech

Red tip #336: Technical teams often pride themselves on technical capabilities and complexity. In real operations, less is more. The more simple and effective a solution or campaign is, the better. You most probably don’t need that mega complex payload or exploit path.

Red Tip #337: Have a low privileged Office365 account? Pivot over to portal.azure.com after logging in and you can access the Azure AD. If they're syncing AD you suddenly get to view all the groups. Also check out Azure CLI. From @ustayready's @WWHackinFest talk!

Red tip #338: Geographical TTPs should be kept in mind. TTPs that may not be as effective in one location may work wonders in another. Consider defensive solutions, legislation, export controls, compliance etc on that organization within different regions.

Red tip #339: Effective TTPs can differ depending on industry or organization size. An example may be that SMEs may be more likely vulnerable to a credential stuffing attack compared to a global financial organization because there are fewer policies around password rotation and expiry.

Red Tip #340: Not sure what countries your target operates in? Find out where all their servers are at least! Automate all the IP -> lat long and then use a Mapping framework to visualize. Works great.

Red Tip #341: VPNHunter can be used to automatically map out some common services such as VPN and dependent cloud services. http://VPNHunter.com

Red Tip #342: If you're running C2 Infrastructure, at least age the domain, build reputation, and SERVE SOME CONTENT on the web root. Oh yeah, don't forget to use VALID CERTIFICATES also.